Another day, another revelation about massive government data collection on citizens at home and abroad, including (but not limited to) phone calls, Internet transactions, backdoors in encryption algorithms, and man-in-the-middle attacks. Heck, for all we know, the NSA is behind the BGP hijacking that's been happening sporadically. Now we've learned that the NSA has been paying information technology vendors for backdoors.
In all of the tech press coverage of new operating systems, new hardware, new processors, and advancements in storage, networking, and even security, this is the elephant in the room: we can no longer trust any piece of network hardware or software unless its code is available for inspection from stem to stern. From the code on the ASICs to the BIOS, the OS, and the application itself, we need to see it. Every iota of trust has vanished.
What's the point of security anymore?
Protection against barbarians is one easy answer, but that's fairly easily handled. Firewalls, IDS, and network monitoring generally work well for those of little skill and a penchant for destruction.
But security used to be all about protecting corporate assets, intellectual property, negotiations, plans, and strategies. We lock down remote access with two-factor authentication. We have extensive audit trails of data and network access. We construct complex rules to permit users to access only the data that they should access, thereby reducing the potential for data loss. What does any of that matter if domestic and foreign governments are collecting that data anyway, using backdoors in the very tools we employ to protect ourselves?
When we deploy a strict new security plan, we do so in order to tighten down access to sensitive information. Nowhere in those plans or in the documentation from the software and hardware vendors does it say that by implementing their solution, we tacitly allow an external entity to access our network and our data — yet that's exactly what's happening.
Why bother with anything beyond basic firewalling and IDS anymore? What, exactly, are we protecting? If our efforts to secure our networks and our data have the perverse effect of permitting exactly the type of data leak we're fighting against, there would seem to be no reason to make them.
This is a big problem, to put it mildly. The security industry is built on trust. We trust our commercial firewall vendor. We trust our certificate authority. We trust our encryption vendor, most of all.
We have to trust them. We have no other choice. We can't see their code, and we can't independently verify that they are on the up-and-up. We have to take their word that the service or software they provide is not only secure, but that they haven't purposefully allowed unknown third parties to gain backdoor access to our network through their products. Until recently, this was the turf of conspiracy theorists. Though we all knew it was possible, we never thought it was actually occurring. Now we know better.